In my last post I explained why, as building management systems (BMSs) become more intelligent and connected, it’s incumbent on facilities managers to ensure they are properly secured. Because the systems are connected to the Internet, they are susceptible to many of the same security threats as IT systems. As a result, we need to use best practices similar to those used in IT to secure BMSs.

In the last post I went through some of the best practices related to securing network connections, or points of entry. This time I’ll tackle a topic that’s far more basic but no less important: passwords.

Most attacks on BMS devices are successful because a password has been compromised. Simply put, at some point an intruder has to guess a user’s password in order to gain entry to a BMS. A best practice, then, is to make that job far more difficult.

Two simple tactics will go a long way in doing just that: changing default passwords on devices and ensuring new passwords are complex enough that they cannot be easily broken.

Secure your BMS: Change the default password

Virtually any password-protected product ships with a default password that is easily guessed or located, so it’s imperative that they be changed immediately. Failure to take this simple step greatly increases the risk the device will be compromised at some point.

Default credential values for all sorts of devices are readily available on the Internet, a mere Google search away for a would-be intruder. Combine that with search engines that routinely scan for accessible Internet-connected devices, including BMS devices, and you have a recipe for an easy break-in.

At a minimum, then, a device’s default credentials should be changed before it is ever connected to the Internet. A best practice is to change the default credentials when the device is first unpacked.

Best practices for ensuring password complexity

The next question, then, is what is a reasonable password to use? Don’t even think about a 6- or 8-character alphanumeric password; that’s just too simple. Hackers these days have access to inexpensive machines that can easily test up to 348 billion passwords per second. To provide any real level of protection, you need lengthy, complex passwords.

Use at least one numeric, one lowercase alphabetic, one uppercase alphabetic and one special character in each password.

Another alternative is to use a passphrase instead of a password. Remembering even a long phrase will likely be easier than remembering a 10-character complex alphanumeric password. The longer the passphrase is, the more difficult it will be to crack. Maybe the phrase has to do with a favorite saying (EarlytoBedandEarlytoRise), sports figure (TheSplendidSplinter), or passage from a poem (AndMilestoGoBeforeISleep). It doesn’t matter so long as it’s easy for the user to remember and sufficiently long. Note that capitalizing the first letter of each word, as in these examples, makes it that much stronger.

The final best practice with respect to passwords is to change them on a regular schedule. The theory is that passwords should be changed within whatever period of time it would take to crack them. Based upon that theory, a longer, more complicated password will need to be changed less frequently. (Sites such as The Password Meter can help you assess that.)

Many BMS devices will be in the field for 15 to 30 years and may not be accessed often, so making the password more complex is the only good way to adequately protect these systems. When devices aren’t accessed for years at a time, password lengths of 15 characters or more are recommended.
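The rules above (reject the shipped default, require length and character variety or a long passphrase, and change the password within the time it would take to crack it) can be enforced at commissioning time rather than left to memory. The Python check below is an added example, not code from the original post or from Schneider Electric; the factory-default value, the thresholds and the candidate passwords are constructed for illustration, and the 348 billion guesses per second figure is the one quoted in the post.

```python
"""Commissioning-time credential check for a BMS device (added example)."""
import string
from dataclasses import dataclass, field

# Cracking rate quoted in the post for inexpensive hardware.
GUESSES_PER_SECOND = 348e9
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed placeholder standing in for the credential printed in the
# device's documentation; a real check would hold the model's own default.
FACTORY_DEFAULT = "CHANGE-ME-PLACEHOLDER"

# Symbols available per character class (32 ASCII punctuation marks + space).
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


@dataclass
class Verdict:
    ok: bool
    years_to_crack: float
    reasons: list = field(default_factory=list)


def char_classes(pw: str) -> set:
    """Character classes actually present in the password."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def years_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every string of this length over the classes used.

    This is an upper bound: a dictionary or pattern attack on a predictable
    password finishes far sooner, which is why length carries more weight
    than the character mix.
    """
    alphabet = sum(ALPHABET_SIZE[c] for c in char_classes(pw))
    return alphabet ** len(pw) / rate / SECONDS_PER_YEAR


def check_credential(pw: str, unattended_years: float = 1.0,
                     min_length: int = 10) -> Verdict:
    """Apply the post's rules: not the default, long enough, complex or a
    passphrase, and slower to exhaust than the interval until its next change."""
    reasons = []
    years = years_to_exhaust(pw)
    if pw == FACTORY_DEFAULT:
        reasons.append("factory default credential still in use")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Either all four character classes, or the post's passphrase alternative.
    if len(char_classes(pw)) < 4 and len(pw) < 15:
        reasons.append("fewer than four character classes and not a 15+ character passphrase")
    # Devices left alone for years need 15 characters or more.
    if unattended_years > 1 and len(pw) < 15:
        reasons.append("devices unattended for years need 15 or more characters")
    # Rotation rule: the password must outlast the interval before its next change.
    if years < unattended_years:
        reasons.append(f"exhaustible in {years:.2g} years at {GUESSES_PER_SECOND:.3g} guesses/s, "
                       f"less than the {unattended_years} year interval")
    return Verdict(ok=not reasons, years_to_crack=years, reasons=reasons)


if __name__ == "__main__":
    # Constructed candidates: the default, a short one, a complex 11-character
    # one, and one of the post's passphrase examples.
    for candidate in (FACTORY_DEFAULT, "Admin123", "Hvac#2015Qz",
                      "EarlytoBedandEarlytoRise"):
        v = check_credential(candidate, unattended_years=5)
        print(f"{candidate!r:28} ok={v.ok} years_to_crack={v.years_to_crack:.3g} {v.reasons}")
```

The `unattended_years` argument is the interval before the next scheduled change; for a controller that nobody will log into for five years, the 11-character complex password is rejected while the 24-character passphrase passes, which is the post's point about field devices.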

Jon Williamson, CSSLP, is the Schneider Electric Building Systems Communication Officer. Active in the BMS market for over 19 years, he has practical and product management experience in system deployment, networking and protocols. In his current role, he is responsible for system architecture, communication protocols and cybersecurity requirements. Jon holds a Mechanical Engineering degree from the University of New Hampshire in Durham.

Why You Need to Apply Network Security Best Practices to Your BMS
https://blog.schneider-electric.com/building-management/2015/06/30/why-you-need-to-apply-network-security-best-practices-to-your-bms/
Tue, 30 Jun 2015

As building management systems (BMSs) become more intelligent, collecting information from hundreds if not thousands of devices distributed throughout a building or campus, they are also becoming more susceptible to a risk that has long been associated with IT systems: security breaches.

As IT managers know well, the risk of a cybersecurity breach is all too real and not at all uncommon. In PwC’s 2014 US State of Cybercrime Survey, more than three quarters of respondents (77%) said they detected a security event in the past 12 months. More than a third said the number of security incidents detected increased as compared to the previous year.

Typically, respondents are detecting far more than a single event; the average for 2013 was 135 per organization. And then there are the organizations that are unaware they’re being targeted. As the PwC report says:

Underscoring the threat, the FBI last year notified 3,000 US companies—ranging from small banks, major defense contractors, and leading retailers—that they had been victims of cyber intrusions.

Of course it’s not just U.S. companies that are having security issues. Another PwC study, the 2015 Global State of Information Security Survey, collected data from 9,700 respondents representing more than 150 countries. They reported 42.8 million security incidents, an increase of 48% from the previous year’s survey. Since 2009, the survey shows security incidents rising at a staggering 66% compound annual growth rate.

Given statistics like that, facilities managers would do well to take steps to secure their intelligent BMSs.

The issue is that BMSs are attached to the company’s network, along with other IT systems. Those networks are also likely attached to the Internet, which potentially opens the BMS to attack from outside intruders. As a result, facilities managers now have to take steps to secure their BMSs, just as IT departments secure their data centers and systems.

The good news is that the “best practices” IT groups have developed over the years can be applied to BMSs. In this post, I’ll touch on a few that have to do with network security.

In a nutshell, network security focuses chiefly on securing “points of entry,” meaning the avenues intruders use to attack a corporate network. These include Web interfaces, USB ports, and building automation devices communicating using open protocols.

Any device having a Web interface, meaning you can connect to it via a Web browser, should be of concern. If you can reach it via a Web browser, so can potential intruders. A best practice is to visit the BMS device manufacturer’s web site to locate information about Web interface security and potential vulnerabilities. Any device needing to be accessed via the Internet should be placed behind a firewall.

USB ports are another concern. The software handling these ports has been designed to automatically run programs found on devices inserted into them. The designers felt this “AutoRun” feature would be convenient.

It may be, but it’s also dangerous. Should a user unknowingly insert a device containing malware, it will automatically run. Once loaded onto the device it can potentially infect computers across the company network.

USB devices are the subject of common social engineering attacks. Various techniques are employed to trick users into inserting USB flash drives into devices. An attacker may just drop them in the corporate parking lot or give them away as prizes. So the best practice with USB devices is to only use devices for which you know the complete usage history.

Another issue relates to some of the “open” protocols used in the BMS industry. Such protocols are inherently insecure and have vulnerabilities that may allow an intruder to inject commands into the controlling device. A best practice is to physically secure any network segments that support traffic carrying open protocols. This means keeping open-protocol segments separate from any Internet-connected network segments.
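The two network rules stated in this post, Web interfaces kept behind a firewall and open-protocol segments kept apart from any Internet-connected segment, can be checked against a zone-based firewall policy before it is deployed, rather than discovered after the fact. The Python model below is an added example, not code from the post or from any vendor product; the zone names, the flat “weak” ruleset and the “hardened” ruleset are constructed for illustration, and the first-match, default-deny semantics are a simplification of how real firewalls evaluate rules.

```python
"""Zone-based segmentation check for a BMS network (added example, not from the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    internet_connected: bool = False  # segment has a route to or from the Internet
    web_interface: bool = False       # hosts devices with a browser-reachable UI
    open_protocol: bool = False       # carries unauthenticated "open" BMS protocol traffic


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "*"
    dst: str      # zone name or "*"
    service: str  # "web", "open-protocol", or "*"
    action: str   # "allow" or "deny"


def decide(rules, src, dst, service):
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for r in rules:
        if r.src in (src, "*") and r.dst in (dst, "*") and r.service in (service, "*"):
            return r.action
    return "deny"


def violations(zones, rules):
    """Flows permitted by the ruleset that break either of the post's two rules."""
    problems = []
    for src in zones:
        for dst in zones:
            if src is dst:
                continue
            # Rule 1: a Web interface sits behind the firewall and is never
            # directly reachable from the Internet zone.
            if (src.name == "internet" and dst.web_interface
                    and decide(rules, src.name, dst.name, "web") == "allow"):
                problems.append(f"web interface in {dst.name} reachable from the Internet")
            # Rule 2: open-protocol segments stay separate from any
            # Internet-connected segment.
            if (src.internet_connected and dst.open_protocol
                    and decide(rules, src.name, dst.name, "open-protocol") == "allow"):
                problems.append(f"open-protocol traffic from Internet-connected {src.name} into {dst.name}")
    return problems


# Constructed zones for a small site; the names and layout are assumptions.
ZONES = [
    Zone("internet", internet_connected=True),
    Zone("corporate-lan", internet_connected=True),
    Zone("management"),                       # operator workstations / VPN landing zone
    Zone("bms-servers", web_interface=True),  # head-end servers with browser UIs
    Zone("bms-field", web_interface=True, open_protocol=True),  # controllers on open protocols
]

# Weak: a flat network with no filtering between segments.
WEAK_RULES = [Rule("*", "*", "*", "allow")]

# Hardened: only operators reach the Web interfaces, only the head-end talks
# the open protocol to the field segment, and everything else is dropped.
HARDENED_RULES = [
    Rule("management", "bms-servers", "web", "allow"),
    Rule("management", "bms-field", "web", "allow"),
    Rule("bms-servers", "bms-field", "open-protocol", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, violations(ZONES, rules) or "no violations")
```

The flat ruleset produces four findings (both Web-interface zones exposed to the Internet, and open-protocol access into the field segment from both Internet-connected zones); the hardened ruleset produces none while still letting operators reach the Web interfaces from the management zone.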

How safe are your building operations from cyber attacks?
https://blog.schneider-electric.com/building-management/2014/11/14/safe-building-operations-cyber-attacks/
Fri, 14 Nov 2014

Although estimates vary, businesses worldwide lose billions each year to cyber crime, according to a report by McAfee and the Center for Strategic and International Studies.

The modern building management system (BMS) connects to the Internet and is susceptible to intrusion. Unlike traditional, stand-alone systems, today’s intelligent BMSs link through open protocols to IT data centers, remote access servers, and utilities.

While the benefits far outweigh the risks, an integrated BMS can open an organization up to greater cybersecurity vulnerabilities.

Financial consequences of a cyber attack, broken down across six categories. (Source: “Understanding the economics of IT risk and reputation,” IBM, 2013)

Cybersecurity “best practices” to mitigate vulnerabilities

Commonsense measures can help to mitigate building management cybersecurity risks and any resulting financial losses. Recommended best practices include:

Password management: Change default passwords before installing devices, make passwords more complex, and set up unique credentials for each site.

User management: Grant users only the minimum amount of authority necessary to perform their jobs. This can help control any risks presented by unauthorized users or disgruntled employees.

Software management: Apply software security patches as they become available, and limit deployment to authorized users.

Vulnerability management: Develop a vulnerability management plan covering all types of risks and establish a formal document for each installation.

Hackers take the path of least resistance

The harder a system is to crack, the better the chances that it will be ignored by a would-be hacker. Following these best practices can make hacking a building system more difficult for cyber criminals.

Bolstering awareness of cybersecurity across an enterprise can also help guard against hackers. Not all employees can be experts in cybersecurity, but effective and regular cybersecurity training makes everyone aware of vulnerabilities and improves the chances of identifying and denying cyber attacks.